A risk-based internal audit programme is what ISO 9001 Clause 9.2.2 has required since 2015 — and most certified organisations have never built one. Every process audited once a year. Same scope. Same checklist. No documented rationale connecting audit frequency to process risk, corrective action trends, or performance data. The programme satisfies the clause text. It produces nothing useful. A genuinely risk-based programme requires what these organisations lack: a documented, data-driven frequency logic that connects audit planning to process performance.
ISO 9001:2015 Clause 9.2.2(b) already requires audit programmes to account for “the importance of the processes concerned.” Clause 9.2.2(d) requires them to account for “the results of previous audits.” These are not scheduling instructions. They are performance data obligations — and most certified organisations have never satisfied them in substance.
ISO DIS 9001:2025, published in August 2025, adds an explicit requirement for defined objectives per audit. That addition targets the documented pattern of compliance-mode audits that satisfy clause text but generate no actionable insight. Organisations running fixed-rotation programmes with no per-audit objectives face a structural gap the incoming revision was designed to expose.
What Clause 9.2.2 Actually Requires
ISO 9001:2015 Clause 9.2.1 establishes the baseline: the organisation shall conduct internal audits at planned intervals to provide information on whether the QMS conforms to requirements and is effectively implemented and maintained. The phrase “effectively implemented and maintained” is a performance test. An audit that confirms a procedure exists but does not evaluate whether it works fails this test.
Clause 9.2.2 then specifies what the audit programme must account for. Four inputs are mandatory:
Clause 9.2.2(a) requires the programme to be planned, established, implemented, and maintained — with “maintained” implying documented programme management against performance inputs, not annual date renewal.
Clause 9.2.2(b) requires the programme to consider “the importance of the processes concerned.” This is the risk-calibration requirement. A programme that audits document control and production at the same frequency, regardless of nonconformity history or product risk, does not satisfy it. The CB question this clause generates is direct: why is this process audited at this interval? The answer must reference process-specific data.
Clause 9.2.2(d) requires the programme to consider “the results of previous audits.” This creates a mandatory feedback loop. If a process produced three minor nonconformities in the previous cycle, the current programme should show increased frequency or scope focus for that process. If it doesn’t, the feedback loop the clause requires does not exist.
These requirements are not new. They have been in ISO 9001 since the 2015 edition. The gap is not in the standard — it’s in enforcement.
Clause references reflect mapped standard requirements confirmed via certification body guidance. Verify against the current edition before audit use.

Why Fixed-Rotation Schedules Persist
The structural failure has three root causes.
First, path dependency from initial certification. The audit programme designed for Stage 1 and Stage 2 — typically a uniform annual rotation covering all processes — becomes the permanent programme. It worked for certification. Nobody revisits it. The schedule is copied forward year after year with updated dates and no other changes.
Second, certification body acceptance patterns. No IAF mandatory document, CB guidance publication, or ISO Auditing Practices Group document defines what evidence constitutes a valid risk-based frequency determination under Clause 9.2.2(b). IAF MD 11:2023 governs CB audit duration calculations — it does not address internal audit programme frequency logic. ISO 19011:2018 Clause 5.4 requires a risk-based approach to audit programme management but provides no minimum evidence threshold for frequency adequacy. Without a prescriptive benchmark, CBs accept a written procedure that cites Clause 9.2.2(b) as conformity evidence. The procedure exists. Whether the logic was applied is not verified.
This is not a CB failure — it’s a structural gap in the normative framework. Auditors assess against requirements. Where the requirement says “take into account the importance of the processes” but no guidance defines what taking it into account looks like in evidence terms, a documented procedure is a defensible conformity finding.
Third, the absence of programme review culture. Clause 9.2.2(a) requires the programme to be maintained. Most organisations interpret “maintained” as “dates updated.” A genuine programme review would cross-reference the next cycle’s schedule against corrective action volumes by process, customer complaint trends, supplier nonconformity data, management review outputs, and any changes to the organisation’s risk profile. That review almost never happens. The data exists in the management system. The connection to the audit programme does not.

What Auditors Actually Find
The audit pattern is consistent across sources, though no IAF or CB statistical report quantifying nonconformity frequency at Clause 9.2.2 was identified during research.
Programmes show identical audit scope year-on-year with no documented frequency rationale. Audit scheduling runs independently of process KPI data, corrective action volumes, or customer complaint trends. Audit reports restate clause text rather than presenting process performance evidence — “the organisation has a procedure for X” rather than “the procedure for X was effective at preventing Y in the assessed period.” Corrective action records and internal audit planning operate in separate systems with no cross-reference.
The most telling indicator is the absence of per-audit objectives. Audit programmes define scope and criteria — which process, against which clause — but not what the audit is designed to determine. Without an objective, the audit cannot produce a directed finding. It confirms clause presence. It does not evaluate process effectiveness. The audit function becomes a compliance event, not a performance intelligence tool.
Ideagen’s 2025 analysis of internal audit programme failures identifies inconsistent data collection across sites and reactive compliance-checking — rather than proactive quality intelligence — as the dominant failure pattern in pre-transition programmes.
What ISO DIS 9001:2025 Changes
The draft international standard, published August 2025, adds an explicit requirement at Clause 9.2.2 for defined objectives per audit. Under the current 2015 edition, the programme must define scope and criteria. Under the DIS, it must also define what each audit is specifically designed to determine.
TÜV Austria Hellas confirmed in November 2025 that internal audit quality is a key change driver in the DIS, identifying the need for organisations to confirm audit objectives and review criteria to meet the new requirements. Quality Austria flagged the defined-objectives addition immediately upon DIS publication in August 2025.
None of this is conceptually new. ISO 19011:2018 Clause 5.4 already describes audit programme objectives as a foundational element. What the DIS does is convert a guideline-level expectation into a normative requirement within ISO 9001 itself — creating an evidence test that CB auditors must assess during transition audits.
The practical consequence is significant. An organisation running a fixed-rotation programme where every audit carries the same implicit objective — “verify conformance to Clause X” — now has a documentable gap. Identical objectives across all audits are evidence that the programme is not differentiated by process risk. The defined-objectives requirement becomes a probe for frequency logic adequacy: if objectives don’t vary, the programme wasn’t built from process performance data.
ISO DIS 9001:2025 content reflects the draft international standard published August 2025. Requirements may change before final publication.

The Coverage Gap That Created This Problem
The persistence of fixed-rotation programmes is not primarily an organisational failure. It’s a normative framework gap.
ISO 9001:2015 Clause 9.2.2(b) requires frequency to reflect process importance. It does not define how. ISO 19011:2018 Clause 5.4 provides a risk-based programme management framework. It does not define what evidence threshold separates a defensible frequency from a default one. No IAF mandatory document addresses internal audit programme frequency methodology. No major CB — BSI, LRQA, SGS, TÜV, Bureau Veritas — has published guidance defining what data inputs, scoring methodology, or evidence standard constitute an adequate risk-based frequency determination.
The result is a structural enforcement vacuum. A quality manager presenting a procedure that references Clause 9.2.2(b) satisfies most CB audit teams. No risk score, frequency matrix, or performance data record is required. The clause is technically assessed. The intent behind it — that high-risk processes receive more audit attention than low-risk ones — is not verified.
ISO DIS 9001:2025’s defined-objectives requirement partially addresses this gap by creating a per-audit evidence test. But the underlying methodology gap remains: even after the revision, no normative document will define what a risk-based internal audit programme must contain. Organisations that want a defensible programme will need to build the methodology themselves.
Converting a Fixed-Rotation Audit Programme to Risk-Based Design
The conversion is not a documentation exercise. It requires rebuilding the frequency logic from process performance data.
Build the Process Risk Profile
Map every process in the audit programme against three data streams: corrective action volume and severity over the previous two cycles, process KPI trends (scrap rates, customer complaints, delivery failures, incident rates — whatever the process measures), and changes to the process since the last audit (new equipment, personnel changes, scope expansion, supplier changes). Score each process on a simple scale — high, medium, low. The scoring methodology matters less than the fact that it exists and is documented.
Calibrate Frequency to Risk
High-risk processes get audited more frequently — twice per year or quarterly, depending on severity. Medium-risk processes maintain annual frequency. Low-risk processes extend to 18-month or two-year intervals, provided no triggers (nonconformities, complaints, changes) activate an earlier audit. Document the frequency rationale per process. The rationale is the evidence Clause 9.2.2(b) requires.
Define Per-Audit Objectives
For each scheduled audit, document a specific objective beyond “verify conformance.” Objectives should be performance questions: “Determine whether the revised supplier evaluation process has reduced incoming inspection reject rates since Q2 implementation.” “Evaluate whether corrective actions from the March audit have prevented recurrence of the packaging nonconformity pattern.” “Assess whether the new production line’s process controls are producing output within specification at the volumes planned.” The point is that someone reading the objective knows exactly what the auditor was sent to evaluate. Each objective is unique to the process context and the current risk profile. Identical objectives across audits are a programme design failure.
Build the Feedback Loop
After each audit cycle, cross-reference results against the risk profile. Processes where audits identified nonconformities or where objectives were not met escalate in frequency or scope for the next cycle. Processes with clean results and stable KPIs may reduce frequency. Document the programme review decision — this is the evidence trail for Clause 9.2.2(d) and the “maintained” requirement in Clause 9.2.2(a). Present the programme review output at management review under Clause 9.3.
Test Against the DIS Requirement
Before the transition audit, review the programme against the ISO DIS 9001:2025 defined-objectives requirement. Can each scheduled audit in the current cycle show a documented, differentiated objective? Does the objective connect to process performance data or risk profile? If the answer is no for any audit, the programme has a gap the transition auditor will find.
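The five steps above can be expressed as a small scheduling model. The following is an added illustration, not AEC International's methodology or anything the standard prescribes: the frequency bands (quarterly or six-monthly for high risk, annual for medium, up to 24 months for low) come from the article, while the point weighting, the band thresholds, and the choice to pull a triggered low-risk process forward to 12 months are assumptions made here so the logic is documented and reviewable.

```python
from dataclasses import dataclass

LEVELS = ["low", "medium", "high"]

@dataclass
class ProcessData:
    name: str
    corrective_actions: int      # CA count over the previous two cycles
    worst_severity: str          # "major", "minor" or "none"
    kpi_trend: str               # "worsening", "stable" or "improving"
    changed: bool                # equipment/personnel/scope/supplier change
    trigger: bool = False        # new NC, complaint or change since scheduling
    audit_ncs: int = 0           # nonconformities raised by the last audit
    objective_met: bool = True   # did the last audit answer its objective?

def risk_score(p: ProcessData) -> int:
    """Assumed weighting (the article fixes no method): CA volume capped at 4,
    worst severity, a worsening KPI trend and a process change add points."""
    score = min(p.corrective_actions, 4)
    score += {"major": 3, "minor": 1}.get(p.worst_severity, 0)
    score += 2 if p.kpi_trend == "worsening" else 0
    score += 2 if p.changed else 0
    return score

def risk_level(score: int) -> str:
    # Assumed thresholds: 5+ high, 2-4 medium, otherwise low.
    return "high" if score >= 5 else "medium" if score >= 2 else "low"

def interval_months(level: str, p: ProcessData) -> int:
    """Article's bands; a trigger on a low-risk process pulls it to 12 months (assumed)."""
    if level == "high":
        return 3 if p.worst_severity == "major" else 6
    if level == "medium":
        return 12
    return 12 if p.trigger else 24

def plan(p: ProcessData) -> dict:
    """Per-process frequency decision plus the written rationale Clause 9.2.2(b) needs."""
    score, level = risk_score(p), risk_level(risk_score(p))
    months = interval_months(level, p)
    rationale = (f"{p.name}: score {score} ({p.corrective_actions} CAs, worst "
                 f"{p.worst_severity}, KPI {p.kpi_trend}, changed={p.changed}, "
                 f"trigger={p.trigger}) -> {level} risk, audit every {months} months")
    return {"process": p.name, "score": score, "level": level,
            "months": months, "rationale": rationale}

def review_after_cycle(level: str, p: ProcessData) -> str:
    """Clause 9.2.2(d) feedback loop: NCs or an unmet objective escalate one band;
    a clean audit with no CAs, no trigger and non-worsening KPIs may relax one band."""
    i = LEVELS.index(level)
    if p.audit_ncs > 0 or not p.objective_met:
        return LEVELS[min(i + 1, 2)]
    if p.kpi_trend != "worsening" and p.corrective_actions == 0 and not p.trigger:
        return LEVELS[max(i - 1, 0)]
    return level
```

The `rationale` string is the per-process record the article says must exist; the output of `review_after_cycle` is what the programme review presents at management review.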

What This Means for the Transition
The final edition of the revised standard is expected in 2026. The transition period will follow IAF standard practice — typically three years from publication, though the exact timeline will be confirmed by IAF resolution after final publication. Organisations preparing for the ISO 9001 Clause 4 transition should recognise that Clause 9.2 carries comparable transition exposure.
There is no reason to wait. The current 2015 edition already requires risk-based frequency and feedback-loop integration at Clause 9.2.2. Rebuilding the programme now satisfies the existing requirement more defensibly and eliminates the structural gap before the transition auditor arrives.
The risk is not that the revision introduces something organisations haven’t seen. The risk is that it creates an evidence test for something they’ve been failing to do since 2015 — and their current programme structure cannot produce the evidence the test requires.
Key Takeaway
A fixed-rotation internal audit programme with no per-audit objectives is not a risk-based programme under ISO 9001:2015 Clause 9.2.2 — it’s a scheduling exercise that CBs have accepted in the absence of an enforcement benchmark. ISO DIS 9001:2025 supplies that benchmark by requiring defined objectives per audit. Organisations that rebuild frequency logic from process performance data and document differentiated objectives now will satisfy both the 2015 requirement as intended and the incoming revision. Those that add an “objectives” field to an unchanged annual template will find the transition auditor asking the question their programme was never designed to answer. What was this audit trying to determine — and why was this process audited at this frequency?
Clause mapping reflects common audit practice. Verify with your certification body for specific expectations.
About AEC International
AEC International provides ISO certification, training, and consultancy services at the intersection of quality management, audit programme design, and management system performance. We support organisations across industries in achieving and maintaining ISO certification — from gap analysis and implementation through audit preparation and continual improvement.
Learn more: www.aec.llc
Frequently Asked Questions
Q: What does ISO 9001 Clause 9.2.2 require for audit programme frequency?
A: Clause 9.2.2(b) requires the audit programme to account for the importance of the processes concerned, and Clause 9.2.2(d) requires it to consider the results of previous audits. Together, these create an obligation to calibrate audit frequency to process risk and corrective action history — not run a uniform annual rotation.
Q: What changes does ISO DIS 9001:2025 make to internal audit requirements?
A: The draft international standard adds an explicit requirement for defined objectives per audit. Under the current 2015 edition, programmes must define scope and criteria. Under the DIS, each audit must also document what it is specifically designed to determine, creating a per-audit evidence test.
Q: How do I convert a fixed-rotation audit schedule to a risk-based programme?
A: Build a process risk profile using corrective action data, KPI trends, and process change history. Score each process, calibrate frequency to risk level, define unique per-audit objectives tied to process performance questions, and build a documented feedback loop that adjusts frequency after each cycle.
Q: Will certification bodies reject fixed-rotation audit programmes during transition?
A: The DIS defined-objectives requirement creates an evidence test that CB auditors must assess. A programme with identical objectives across all audits provides documentable evidence that frequency was not differentiated by process risk — which is the gap the revision was designed to expose.